SEC Consult has discovered a buffer overflow in the code processing style sheet attributes. It is caused by an integer signedness error in a length check followed by a call to a string function. It seems to be hard to exploit this buffer overflow to execute arbitrary code because of the very large amount memory that has to be copied.

Impact

A remote attacker can entice a user to visit a web page containing a specially crafted style sheet attribute that will crash the user's browser and maybe lead to the execution of arbitrary code.